
feat(chart) Allow podSecurityContext and securityContext for webhooksCleanup (#7970)

Fixes #7962

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
treydock 2023-08-07 08:24:53 -04:00 committed by GitHub
parent 7415c1a3d4
commit 0b5f9a0f25
4 changed files with 29 additions and 0 deletions


@ -60,3 +60,5 @@ annotations:
description: allow affinity settings for cleanup jobs
- kind: added
description: Add helper to handle the labels for cleanup jobs, add component label
- kind: added
description: allow podSecurityContext and securityContext for webhooksCleanup


@ -616,11 +616,13 @@ The chart values are organised per component.
| webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. |
| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
| webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
| webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod |
| webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
| webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate |
| webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
| webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
| webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
### Test


@ -15,6 +15,10 @@ spec:
template:
spec:
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
{{- with .Values.webhooksCleanup.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
{{- with .Values.webhooksCleanup.imagePullSecrets }}
imagePullSecrets:
@ -31,6 +35,10 @@ spec:
sleep 30
kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
{{- with .Values.webhooksCleanup.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.webhooksCleanup.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
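Review bot: The two new blocks render their values differently: the pod-level `podSecurityContext` is piped through `tpl (toYaml .) $` (matching the existing tolerations block below it), while the container-level `securityContext` uses plain `toYaml . | nindent 12`, so a template expression placed in the pod-level value is expanded but the same expression in the container-level value would be emitted literally. Either use `{{- tpl (toYaml .) $ | nindent 12 }}` for the container block too, or state the asymmetry in the values.yaml comment so chart users know which field accepts templating. Both `with` guards render nothing when the value is empty, so a user who sets `webhooksCleanup.securityContext` to null removes the container security context entirely rather than falling back to the hardened default; that is worth one sentence in the README row. The Job's pod spec and the container list continue outside the hunk, so the nindent depths could not be checked here.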


@ -308,6 +308,9 @@ webhooksCleanup:
# -- Image pull secrets
imagePullSecrets: []
# -- Security context for the pod
podSecurityContext: {}
# -- Node labels for pod assignment
nodeSelector: {}
@ -323,6 +326,20 @@ webhooksCleanup:
# -- Node affinity constraints.
nodeAffinity: {}
# -- Security context for the hook containers
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
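Review bot: The helm-docs comment on the new `securityContext` key says only `Security context for the hook containers` and does not tell a chart user what the default is meant to satisfy or how an override interacts with it; suggest `# -- Security context for the hook containers. The default satisfies the Pod Security Standards "restricted" profile; user-supplied keys are merged into it, so set a key to null to remove it.` The same applies to the `podSecurityContext` comment earlier in this file, whose `{}` default leaves pod-level settings such as fsGroup and a pod-level seccompProfile to the user. The rendered page has dropped indentation, so it cannot be confirmed here that the new keys sit at the same level as `nodeAffinity` rather than at top level beside `grafana`; that is the one thing to double-check before merge.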
grafana:
# -- Enable grafana dashboard creation.
enabled: false